Is AI HIPAA Compliant for Therapists?
What Actually Determines If You’re Protected or Exposed
Most therapists are starting to ask the same question right now: is AI HIPAA compliant?
It sounds like the right question, especially with how quickly these tools are showing up in documentation, marketing, and even clinical workflows. The problem is that the question itself is incomplete, and if you stop there, it can create a false sense of security.
AI under HIPAA is not just about what you are typing into a tool. It is about what that tool can access, what it can interact with, and how it is configured inside your practice. Once you look at it that way, it changes how you evaluate all of it.
Why “Is This AI Tool HIPAA Compliant?” Isn’t the Right Question
HIPAA does not certify tools. It does not label platforms as compliant or noncompliant, and it does not give blanket approval to any software just because it is widely used.
What HIPAA actually evaluates is how protected health information is handled within your practice under the HIPAA Privacy Rule. That means a tool can be capable of being used in a compliant way, but that does not automatically make your use of it compliant.
The difference comes down to what information is involved, what access the tool has, and whether the proper safeguards are actually in place. In practical terms, that includes whether the tool is connected to systems that contain PHI, whether a Business Associate Agreement is required and in place, and whether your settings have been intentionally configured or simply left at default.
This is where assumptions tend to take the place of something you can actually point to and verify.
⚠️ AI Is Not “HIPAA Compliant”
HIPAA does not approve tools. It evaluates how protected health information is handled.
A tool can be HIPAA-capable. Your use of it is what determines compliance.
If you cannot clearly explain what the tool can access, how it is configured, and how its use is documented in your practice, then you do not have a compliance answer yet.
The Bigger Risk Most People Are Missing
A lot of the current conversation around AI focuses on prompts. People try to stay on the safe side by avoiding identifying details, assuming that if they do not enter protected health information, they are not creating risk.
The issue is that prompts are only one part of the picture.
Many AI tools now integrate with other systems or allow you to upload, store, and connect information in ways that extend far beyond a single interaction. Once a tool has access to your email, documents, or cloud storage, you are no longer just dealing with a prompt. You are dealing with a system that may be creating, receiving, maintaining, or transmitting protected health information, which falls under the requirements of the HIPAA Security Rule.
That means the compliance decision has to account for more than just what you’re typing into the tool.
A More Accurate Way to Look at AI and HIPAA
A more practical way to evaluate AI in your practice is to step back and look at how it functions across four areas. This is the same framework I use when walking therapists through AI risk.
- Input refers to what information is being entered into the tool.
- Output is what the tool generates and where that information goes.
- Access includes any systems, files, or data the tool can interact with.
- Automation covers what the tool can do or trigger beyond a single prompt.
Most of the risk tends to show up in access and automation, not just input, which is why simply avoiding PHI in prompts does not fully address the issue.
What Actually Determines Whether Your AI Use Is Compliant
AI does not sit outside of HIPAA. It falls under the same expectations that apply to any system that creates, receives, maintains, or transmits protected health information. These requirements are defined under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.
From there, it becomes a question of whether your current compliance setup actually accounts for it.
At a minimum, your practice should be able to demonstrate that AI tools have been evaluated as part of your Security Risk Analysis. The requirement to identify and assess risks to protected health information, including new technologies, is established under the Security Rule at 45 CFR §164.308(a)(1)(ii)(A).
It also means that any vendor with access to PHI must be evaluated from a Business Associate standpoint, that your configuration settings are intentionally managed, and that your internal policies clearly define how these tools can and cannot be used.
Even a platform that is capable of supporting HIPAA compliance can create risk if access permissions, integrations, or data handling settings are not properly controlled. And just as importantly, anyone in your practice using these tools needs to understand those boundaries. Without that, even a well-configured system can be used in ways that create exposure.
Where Therapists Are Getting This Wrong Right Now
Most of the problems showing up right now aren’t intentional. They come from small gaps that add up.
Some therapists assume that paying for a higher tier of a tool automatically makes it compliant. Others believe that avoiding PHI in prompts is enough to eliminate risk. Many are connecting tools to systems like email or cloud storage without fully evaluating what access is actually being granted.
There is also a tendency to rely on vendor marketing language instead of documented safeguards, and in many cases, AI is being used without ever being addressed in a Security Risk Analysis or written policy.
Individually, these may not seem like major issues. From a compliance standpoint, they are exactly the kinds of gaps that matter.
A Simple Way to Pressure-Test Your Own Use of AI
If you are currently using or considering using AI in your practice, you should be able to clearly answer a few key questions.
- What information can this tool access, directly or indirectly?
- Where is that information stored or processed?
- Does the vendor offer a Business Associate Agreement?
- How is the tool configured within your systems?
- Has this been evaluated and documented in your Security Risk Analysis?
If those answers aren’t clear, your compliance picture isn’t either. If you are not evaluating how a tool interacts with protected health information, you are missing a core requirement of HIPAA’s risk analysis standard under 45 CFR §164.308(a)(1)(ii)(A).
The Bottom Line
Most therapists believe they are compliant until they are asked to prove it.
AI is not changing the rules. It is exposing where those rules have not been fully implemented.
The practices that are in the strongest position are not the ones avoiding AI altogether. They are the ones who understand how these tools function, how they connect to the rest of their systems, and how to document those decisions in a way that holds up if they are ever questioned.
Because at the end of the day, HIPAA is not about what you think you are doing right. It is about what you can actually prove.
AI is moving faster than most compliance guidance, which is exactly why the responsibility falls back on the practice to evaluate, configure, and document its use appropriately. The tools will continue to evolve. The standard for compliance does not.
If You’re Using AI, This Applies to You
If you are using AI in your practice, the real question is not whether the tool is compliant. It is whether you have actually evaluated how it interacts with protected health information and documented that decision.
For a lot of practices, that step hasn’t actually been done yet.
If you want a clear way to identify where your gaps are, you can start with the free HIPAA compliance checklist here:
https://www.guardianclinicalessentials.com/get-freebies/
And if you have never completed a Security Risk Analysis or are not sure how to evaluate tools like AI within it, you can learn more here:
https://www.guardianclinicalessentials.com/hipaa-risk-assessment-therapists/
Sources – Federal HIPAA Guidance
This article is based on federal HIPAA requirements and guidance from the U.S. Department of Health & Human Services.
HIPAA Privacy Rule
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
HIPAA Security Rule
https://www.hhs.gov/hipaa/for-professionals/security/index.html
HIPAA Breach Notification Rule
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Security Risk Analysis Guidance (HHS)
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3
Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.
Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.